Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
24-04-2024 01:31
Static task
static1
Behavioral task
behavioral1
Sample
PI88009454 007865EQ.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
PI88009454 007865EQ.exe
Resource
win10v2004-20240226-en
General
-
Target
PI88009454 007865EQ.exe
-
Size
672KB
-
MD5
c3cf30f78c7564162412228388adb129
-
SHA1
e7e3ea2f0f077d7e581c91f983b44d578355620d
-
SHA256
f8bb3c7c28ad6279b257469ae7e4c3e1952f50588894305ae473652add17a136
-
SHA512
9ed98d8f904247992a53b8aa929ecde95b8a4ff6fe938cf8181884de0eea8d719da69eacb74892a9dc79b4c8b2e2ed0b9d95706e967af4dc4547f00d52e364bb
-
SSDEEP
12288:PZy9zrtb7BBj6EceQ9A0Q9iuFMiE8I2QrhhZQzigN+OdYVsZlN/:BeXt3B16XeQ9A/nE8IlWGgN+C5
Malware Config
Extracted
Protocol: ftp- Host:
ftp.klptruck.hu - Port:
21 - Username:
[email protected] - Password:
kCu}[Z7z+)S[
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.klptruck.hu - Port:
21 - Username:
[email protected] - Password:
kCu}[Z7z+)S[
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 35 ip-api.com -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
PI88009454 007865EQ.exepid process 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe 4292 PI88009454 007865EQ.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
PI88009454 007865EQ.exedescription pid process Token: SeDebugPrivilege 4292 PI88009454 007865EQ.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PI88009454 007865EQ.exe"C:\Users\Admin\AppData\Local\Temp\PI88009454 007865EQ.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4292
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:81⤵PID:3512
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4292-0-0x0000000074B80000-0x0000000075330000-memory.dmpFilesize
7.7MB
-
memory/4292-1-0x00000000002B0000-0x000000000035E000-memory.dmpFilesize
696KB
-
memory/4292-2-0x0000000005310000-0x00000000058B4000-memory.dmpFilesize
5.6MB
-
memory/4292-3-0x0000000004D60000-0x0000000004DF2000-memory.dmpFilesize
584KB
-
memory/4292-4-0x0000000004F80000-0x00000000052D4000-memory.dmpFilesize
3.3MB
-
memory/4292-5-0x0000000004F70000-0x0000000004F80000-memory.dmpFilesize
64KB
-
memory/4292-6-0x0000000004F00000-0x0000000004F0A000-memory.dmpFilesize
40KB
-
memory/4292-7-0x0000000006730000-0x00000000067D0000-memory.dmpFilesize
640KB
-
memory/4292-8-0x0000000007B30000-0x0000000007B48000-memory.dmpFilesize
96KB
-
memory/4292-9-0x0000000074B80000-0x0000000075330000-memory.dmpFilesize
7.7MB
-
memory/4292-10-0x0000000007B50000-0x0000000007B5E000-memory.dmpFilesize
56KB
-
memory/4292-11-0x0000000007B60000-0x0000000007B74000-memory.dmpFilesize
80KB
-
memory/4292-12-0x00000000025C0000-0x0000000002644000-memory.dmpFilesize
528KB
-
memory/4292-13-0x000000000A310000-0x000000000A3AC000-memory.dmpFilesize
624KB
-
memory/4292-14-0x000000000A2B0000-0x000000000A2F2000-memory.dmpFilesize
264KB
-
memory/4292-15-0x000000000D6E0000-0x000000000D746000-memory.dmpFilesize
408KB
-
memory/4292-16-0x0000000004F70000-0x0000000004F80000-memory.dmpFilesize
64KB
-
memory/4292-17-0x0000000007D20000-0x0000000007D70000-memory.dmpFilesize
320KB